
I am developing a Rails app which relies on a lot of jQuery AJAX requests to the server, in the form of JSONs. The app has no authentication (it is open to the public). The data in these requests is not sensitive in small chunks, but I want to prevent external agents from having access to the data, or automating requests (because of the server load and because of the data itself).

I would ideally like to include some kind of authentication whereby requests can only be made from JavaScript in the same domain (i.e. clients on my website), but I don't know how or if this can be done. I am also thinking about encrypting the query strings and/or the responses.

Thank you.

Nicolas

4 Answers


What do you mean only your app should request these JSONs? A client will eventually have to trigger an event, otherwise no request will be sent to the server.

Look at the source code of any of your app's pages. You will notice an authenticity token, generated by the protect_from_forgery method in your application controller - from the api:

Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.

By default, this is enabled and included in your application controller.

If you really need to check whether a request comes from your own IP, have a look at this great question.

Dennis Hackethal
  • Thanks. I meant that the requests can only be made by real clients on my website, not elsewhere (i.e. somebody typing http://myapp.com/rest/request.json?params=blablabla on a browser, or a script). My problem is that all of these requests are GET. – Nicolas Dec 15 '12 at 16:08
  • If the json shall only be accessed from your own app, check the second link I provided. You only need to know your app server's ip. – Dennis Hackethal Dec 15 '12 at 16:20
  • I don't think that's what I'm looking for, I mean that the requests can only be made from javascript in my website, I edited the question to make that clear. – Nicolas Dec 15 '12 at 16:21
I want to avoid external agents from having access to the data... because of the server load and because of the data itself.
  1. If you're really concerned about security, this other question details how to implement an API key: What's the point of a javascript API key when it can be seen to anyone viewing the js code

  2. You shouldn't solve problems you don't have yet, server load shouldn't be a concern until it actually is a problem. Why don't you monitor server traffic and implement this feature if you notice too much load from other agents?

Fiona T

I ended up passing token=$('meta[name=csrf-token]').attr("content") in the request URL and comparing with session[:_csrf_token] in the controller.

Nicolas
# Use as a before_action in the controllers that serve the JSON endpoints.
def check_api
  # request.host is the Host header. The dot is escaped and the end anchored so that
  # "yourdomain.com.example" does not match, while subdomains such as www.yourdomain.com still do.
  redirect_to root_url, :alert => 'effoff' unless request.host =~ /(\A|\.)yourdomain\.com\z/
end

That should work to check your domain. Not sure you need the js part, but it's something.

pjammer
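The two checks discussed in the answers above (the CSRF-token comparison from the self-answer and the Host check from the last answer), combined into one plain-Ruby model so the logic can be run without Rails. This is an added example, not code from the question or any of the answers; "yourdomain.com" and the hash-shaped request are assumptions standing in for the real site and for an ActionDispatch request. Two caveats a practitioner should keep in mind: the token is readable by anyone who loads the page, so this raises the bar for casual scripting rather than authenticating the caller, and putting the token in a GET query string means it ends up in server logs and Referer headers.

```ruby
require 'securerandom'

# Host header pattern. ASSUMPTION: "yourdomain.com" stands in for the real site.
# The dot is escaped and the end anchored so "yourdomain.com.evil.example" does
# not pass, while subdomains such as "www.yourdomain.com" still do.
ALLOWED_HOST = /(\A|\.)yourdomain\.com\z/

# Per-session random token, the same shape Rails keeps in session[:_csrf_token]
# and renders into the <meta name="csrf-token"> tag.
def new_session
  { _csrf_token: SecureRandom.base64(32) }
end

# Constant-time comparison so a mismatch does not leak where the strings differ.
# Rails ships this as ActiveSupport::SecurityUtils.secure_compare; reimplemented
# here so the example runs without Rails.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def host_allowed?(host)
  !host.nil? && !!(host =~ ALLOWED_HOST)
end

# Controller-side check written against a plain hash instead of a request object:
#   { host: "...", params: { "token" => "..." }, session: { _csrf_token: "..." } }
# Returns true only if the Host header matches and the token param equals the
# token stored in this visitor's session.
def api_request_allowed?(request)
  return false unless host_allowed?(request[:host])
  token    = request[:params]['token']
  expected = request[:session][:_csrf_token]
  return false if token.nil? || expected.nil?
  secure_compare(token.to_s, expected)
end

if __FILE__ == $PROGRAM_NAME
  session = new_session
  # Constructed sample requests covering the cases raised in the comments.
  samples = {
    legit:         { host: 'www.yourdomain.com', params: { 'token' => session[:_csrf_token] }, session: session },
    typed_url:     { host: 'www.yourdomain.com', params: { 'params' => 'blablabla' }, session: session },
    other_session: { host: 'www.yourdomain.com', params: { 'token' => new_session[:_csrf_token] }, session: session },
    bad_host:      { host: 'yourdomain.com.evil.example', params: { 'token' => session[:_csrf_token] }, session: session }
  }
  samples.each do |name, req|
    puts "#{name}: #{api_request_allowed?(req) ? 'allowed' : 'rejected'}"
  end
end
```

Only the first sample is allowed; a hand-typed URL carries no token, a token copied from a different session does not match this session's value, and a spoofed Host header fails the anchored pattern.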